Facebook bug gave developers access to private photos of 6.8 million users

Facebook says the bug existed for 12 days and was fixed promptly after discovery on Sept. 25.

Facebook said Friday that a bug on its platform exposed 6.8 million users’ private photos to developers for 12 days in September.

The flaw was in Facebook’s photo API, the company said, and accidentally gave developers access to private photos. The API should only allow authorized applications to access public photos on users’ timelines.

“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post,” Facebook engineering director Tomer Bar said in a blog post. “We’re sorry this happened.”
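To make the class of bug concrete, here is an added illustration that is not Facebook's code (the data model, the `user_photos` scope name and the surface labels are assumptions): a photo listing that checks only whether the app holds the permission, beside a corrected one that also checks each photo's surface and visibility, as the contract described above requires.

```python
"""Hypothetical model of an over-broad photo API authorization check.
Constructed for illustration; not Facebook's API or code."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Surfaces a photo can live on (constructed labels, not Facebook's taxonomy)
TIMELINE, MARKETPLACE, STORIES, UNPOSTED = "timeline", "marketplace", "stories", "unposted"


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    surface: str   # where the photo was shared
    public: bool   # visible to everyone, or restricted to friends/self
    posted: bool   # False for uploads the user never published


# Constructed sample library for one user.
SAMPLE_PHOTOS: List[Photo] = [
    Photo("p1", "u1", TIMELINE, public=True, posted=True),
    Photo("p2", "u1", TIMELINE, public=False, posted=True),    # friends-only
    Photo("p3", "u1", MARKETPLACE, public=True, posted=True),
    Photo("p4", "u1", STORIES, public=False, posted=True),
    Photo("p5", "u1", UNPOSTED, public=False, posted=False),   # never posted
]


def list_photos_buggy(photos: Iterable[Photo], owner_id: str, scopes: Set[str]) -> List[Photo]:
    """Checks only that the app holds the (assumed) user_photos permission,
    then returns every photo the owner has, regardless of surface or visibility."""
    if "user_photos" not in scopes:
        return []
    return [p for p in photos if p.owner_id == owner_id]


def list_photos_fixed(photos: Iterable[Photo], owner_id: str, scopes: Set[str]) -> List[Photo]:
    """Enforces the intended contract per object: only photos actually posted
    to the timeline and marked public are returned to a third-party app."""
    if "user_photos" not in scopes:
        return []
    return [p for p in photos
            if p.owner_id == owner_id and p.surface == TIMELINE and p.posted and p.public]


def overexposed_ids(photos: List[Photo], owner_id: str, scopes: Set[str]) -> List[str]:
    """Photo ids the buggy path hands out that the corrected path withholds."""
    allowed = {p.photo_id for p in list_photos_fixed(photos, owner_id, scopes)}
    return sorted(p.photo_id for p in list_photos_buggy(photos, owner_id, scopes)
                  if p.photo_id not in allowed)
```

Running `overexposed_ids(SAMPLE_PHOTOS, "u1", {"user_photos"})` lists the friends-only, Marketplace, Stories and never-posted photos, which is exactly the set of categories the blog post says the bug exposed.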

The bug seems to have impacted 1,500 apps made by 876 developers, according to the blog post. Bar said Facebook will be rolling out a feature for app developers to see which of their users were affected by the bug and “will be working with those developers to delete the photos from impacted users.”

For now, users can check whether or not their photos were exposed on a Facebook help page.

Bar said the bug existed from Sept. 13 to Sept. 25. Facebook discovered and remedied the bug on Sept. 25, TechCrunch reported.

It’s not clear why Facebook took nearly two months to disclose the photo API bug. It’s worth noting that Sept. 25 is also the date the company discovered a vulnerability that gave hackers access to 30 million users’ login tokens — a much more serious security flaw. Facebook disclosed that bug within days.

The social media giant has been under fire over the past several months because of the way it manages user data. Much of the recent criticism started with the Cambridge Analytica ordeal, which showed that developers were abusing access to users’ data through APIs for political purposes.

Facebook did not say whether the bug disclosed Friday was abused by developers. It’s not clear whether developers even knew they had access to more than what they were supposed to.
